splitforms.com
Get free key
guide · captcha & spam

reCAPTCHA vs hCaptcha — Which to Use in 2026

Both reCAPTCHA and hCaptcha solve the same problem: blocking bot submissions. reCAPTCHA is free with Google data harvesting. hCaptcha is paid (or free with ads) with stronger privacy. For most forms, neither is the right answer — use a honeypot instead.

html
<!-- For comparison: a form using NEITHER captcha, instead using an
     invisible honeypot + splitforms's AI spam classifier. -->
<form action="https://splitforms.com/api/submit" method="POST">
  <input type="hidden" name="access_key" value="YOUR_ACCESS_KEY" />

  <input name="name" required />
  <input name="email" type="email" required />
  <textarea name="message" required></textarea>

  <!-- Honeypot: bots fill it, humans never see it -->
  <input type="checkbox" name="botcheck" style="display:none" tabindex="-1" />

  <button type="submit">Send</button>
</form>

<!-- No external JS. No third-party tracking. No CAPTCHA puzzle. -->

reCAPTCHA (Google) and hCaptcha (Intuition Machines) are the two dominant CAPTCHA providers. Both work by asking the user to solve a puzzle (identify traffic lights, select crosswalks) or by silently scoring the user's behavior and blocking submissions with low scores. Both add friction, third-party JavaScript, and accessibility concerns.

reCAPTCHA v3 runs invisibly and returns a score (0.0–1.0). You pick a threshold below which submissions are blocked. The trade: Google harvests behavioral data from every visitor to every page that loads the script, regardless of whether they submit the form. The script is ~600KB and loads on every page where reCAPTCHA is configured.

hCaptcha is the privacy-positioned alternative. They pay site owners for solved CAPTCHAs (used to train ML models), and they don't harvest data the same way Google does. Same friction problem — visible puzzle, accessibility failures — but cleaner privacy story. For a US-based business that cares about GDPR posture, hCaptcha is the lower-risk choice.

The honest answer for most contact forms: use neither. A honeypot field (bot fills it, human never sees it) catches 40–60% of automated spam. Pair it with a real spam classifier on the backend (splitforms ships one — AI-trained on millions of submissions) and you cover the rest. No visible CAPTCHA, no third-party JS, no accessibility tax. Add CAPTCHA only if you're seeing real abuse the honeypot misses — which is rare for a contact form.

How to set this up

Step 01

Start with a honeypot

One hidden checkbox in the form. Bots fill it, humans never see it. Free, no JS, no third-party. Catches 40-60% of spam.

Step 02

Add a backend classifier

splitforms runs AI spam classification on every submission. Together with honeypot, covers the rest of automated spam.

Step 03

Add CAPTCHA only if needed

If you're seeing genuine human-driven abuse (rare for contact forms), then add reCAPTCHA or hCaptcha. Pick hCaptcha for better privacy.

Step 04

Use reCAPTCHA v3 over v2

v3 is invisible (no puzzle) and uses behavioral scoring. v2 is the visible 'I'm not a robot' checkbox. v3 has lower user friction.

For most forms: honeypot + classifier > reCAPTCHA + accessibility tax.

Frequently asked questions

reCAPTCHA vs hCaptcha — which is better?

Depends on what you care about. reCAPTCHA is free and ubiquitous but harvests user data for Google. hCaptcha is privacy-positioned, GDPR-friendlier, but the UX is similar. For most forms, neither is needed — a honeypot + backend classifier catches most spam.

Is hCaptcha really more private than reCAPTCHA?

Yes, marginally. hCaptcha doesn't have Google's profile of the user; they don't sync data across the web like AdSense does. The script still loads from a third party and runs JS on your visitors, so it's not zero-footprint — just less than reCAPTCHA.

What is reCAPTCHA v3?

reCAPTCHA v3 runs invisibly in the background and returns a score (0.0-1.0) indicating how likely the user is a bot. You set a threshold; submissions below it are blocked. Lower friction than v2's 'I'm not a robot' checkbox but harvests more behavioral data.

Is invisible reCAPTCHA accessible?

Mostly yes — invisible v3 doesn't present a puzzle to most users. But for users flagged as suspicious by the algorithm, v3 falls back to a visible puzzle that's notorious for accessibility failures (screen readers fail, color contrast issues, time pressure).

Do I need CAPTCHA on a contact form?

Probably not. Honeypot + backend AI classifier (splitforms ships both) catches the vast majority of automated spam without any user-facing friction. Add CAPTCHA only if you're seeing real human-driven abuse.

How does splitforms handle spam without CAPTCHA?

Two layers. (1) Honeypot — hidden form field that bots fill but humans don't see; submissions with non-empty honeypot are flagged. (2) AI classifier — every submission scored by an ML model trained on millions of real submissions. Together they catch ~95% of automated spam with zero user friction.

Related guides

HTML forms

HTML Form — How to Build and Submit Forms in HTML

Captcha & spam

Stop Form Spam Bots — Honeypot + AI Classifier Strategy

Ship the form, not the backend.

Free for 1,000 submissions/month. Email delivery, AI spam filtering, signed webhooks, real dashboard — all on the free plan. No credit card.

Get a free access key →